(ii) Related Appeals and Interferences

Appellant is not aware of any appeals or interferences related to the above-identified

(iii) Status of Claims

Jar.c o, '0<x scK;cni id olu: iKs ; : i ^iid " ' 11 - I'lc cl u.n *V .<it n V I" 

x^civ- c>ia'.i.sca 1 iic^ ^ l!.;sc r-i.ci^ '\viC!.' 'c\^tt.d .Mr- , a? > - . i' sul> vvSo 
,h-s apnc..: 

(iv) Status of Amendments

This Appeal Brief is accompanied by a Reply to correct minor typographical errors in
claims 63 and 70. Since this amendment is being filed as a matter of right, the amendment will
necessarily have to be entered by the examiner. Accordingly, all amendments have been entered.
Appellant has filed herewith a new Notice of Appeal. Appellant previously filed a Notice of
Appeal on December S4, 2005 and an Appeal Brief on March 7, 2006. The examiner replied
with the above identified office action, from which Appellant now appeals.

(v) Summary of Claimed Subject Matter

One aspect of Appellant's invention is set out in claim 1 as a machine implemented
method of monitoring traffic flow in a monitoring device disposed to receive network traffic
packets. "Referring to FIG. 6, a monitoring process 32 is shown. The monitoring process 32 can
be deployed on data collectors 28 as well as gateways 26." [Appellant's specification Page 13,
lines 24-27].



Inventive features of claim 1 include producing statistics corresponding to a parameter of
traffic flow to trace the source of an attack. "Referring to FIG. 4, the data collector 26 performs
40 a sampling and statistic collection process 40. The data collector samples 42 one (1) packet in
every (n) packets and has counters to collect statistics about every packet." [Appellant's
specification Page 9, lines 11-14]. "The gateways 26 and data collectors have monitoring
process 32 used to measure some parameter of traffic flow. One goal of the gateways 26 and
data collectors 28 is to measure some parameter of network traffic. This information collected
by the gateways 26 and data collectors is used to trace the source of an attack." [Appellant's
specification Page 14, lines 5-10].

Inventive features of claim 1 include mapping the traffic flow into a plurality of buckets
by applying a hash function "f(h)" to the parameter of the traffic flow to output an integer
corresponding to one of the buckets. "The algorithm will use some hash function "f(h)", which
takes the packet and outputs an integer that corresponds to one of the buckets "B1 - BN"."
[Appellant's specification Page 14, lines 18-21].

Inventive features of claim 1 include accumulating statistics from the packets and
comparing the number of buckets to a threshold. "Statistics from the packets start accumulating
in the buckets "B1 - BN". The buckets "B1 - BN" are configured with threshold values "Th." As
the contents of the buckets B1 - BN reach the configured thresholds values "Th", (e.g., compare
values of packet count or packet rate to threshold), the monitoring process 32 deems that event to
be of significance." [Appellant's specification Page 14, lines 21-25].

Inventive features of claim 1 include determining whether the number of buckets should
be divided into more buckets or combined into fewer buckets based on comparing the number of
buckets to the threshold. "As the gateway 26 or data collector 28 approaches a bucket threshold
"Th", the gateway 26 or data collector 28 have the ability to take several buckets B1 - B3 and
divide them in more buckets B1 - B4 or combine them into fewer bucket B1 - B2." [Appellant's
Specification Page 15, lines 18-22].

Claim 14

Claim 14 covers another aspect of the invention. Claim 14 is a computer program
product residing on a computer readable medium for monitoring network traffic flow in a network.
[Appellant's specification Page 2, lines 8-12]. The gateway 26 and data collector 26 are typically
software programs that are executed on devices such as computers, routers, or switches.
[Appellant's specification Page 9, lines 6-8].

Inventive features of claim 14 include instructions to map traffic flow into a plurality of
buckets by applying a hash function "f(h)" to a parameter of the traffic flow to output integer
corresponding to one of the buckets. This feature is supported as the analogous feature of claim 1.

Inventive features of claim 14 include instructions to accumulate statistics from the
packets and compare the accumulated statistic values from the buckets to configured threshold
values corresponding to the number of buckets to determine that an event is of significance. This
feature is supported as the analogous feature of claim 1.

Inventive features of claim 14 include instructions to adjust the number of buckets as the
number of buckets approaches a second threshold. This feature is supported as the analogous
feature of claim 1.

Claim 21

Another aspect of the invention is covered by claim 21. Claim 21 is directed to a data
collector to collect statistical information about network flows. "Referring to FIG. 4, the data
collector 26 performs 40 a sampling and statistic collection process 40. The data collector
samples 42 one (1) packet in every (n) packets and has counters to collect statistics about every
packet." [Appellant's specification Page 9, lines 11-14].

Inventive features of claim 21 include a computer readable medium and a computing
device that executes a computer program product stored on the computer readable medium.
"The gateway 26 and data collector 26 are typically software programs that are executed on
devices such as computers, routers, or switches." [Appellant's specification Page 9, lines 6-8].

Inventive features of claim 21 include instructions to map traffic flow into a plurality of
buckets by applying a hash function "f(h)" to the parameter of the traffic flow to output an
integer corresponding to one of the buckets. This feature is supported as the analogous feature of
claim 1.

Inventive features of claim 21 include instructions to accumulate statistics from the
packets and compare the accumulated statistic values from the buckets to configured threshold
values corresponding to the number of buckets to determine that an event is of significance,
adjust the number of buckets as the number of buckets approaches a second threshold. This
feature is supported as the analogous feature of claim 1.

Claim 63 is directed to a method of monitoring traffic flow in a monitor device disposed
to receive network packets. This feature is supported as the analogous feature of claim 1.

Inventive features of claim 63 include producing statistics corresponding to a parameter
of the traffic flow to trace a source of an attack. This feature is supported as the analogous
feature of claim 1.

Inventive features of claim 63 include mapping the traffic flow into a plurality of buckets.
This feature is supported as the analogous feature of claim 1.

Inventive features of claim 63 include varying the number of buckets according to the
amount of traffic and number of flows to breakdown traffic flow into different buckets. "As the
gateway 26 or data collector 28 approaches a bucket threshold "Th", the gateway 26 or data
collector 28 have the ability to take several buckets B1 - B3 and divide them in more buckets B1 -
B4 or combine them into fewer bucket B1 - B2. [Appellant's specification Page 15, lines 18-

Inventive features of claim 63 also include analyzing statistics accumulated for a
parameter and a corresponding threshold in the bucket to identify the source of the attack. "The
function of the variable number of buckets is to dynamically adjust the monitoring process to the
amount of traffic and number of flows, so that the monitoring device (e.g., gateway 26 or data
collector 28) is not vulnerable to DoS attacks against its own resources. The variable number of
buckets also efficiently identifies the source(s) of attack by breaking down traffic into different
categories (buckets) and looking at the appropriate parameters and thresholds in each bucket."
[Appellant's specification Page 15, lines 23-31].
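
The bucket scheme summarized above for claims 1 and 63, as an added Python sketch that is not part of the brief or of Appellant's specification. The CRC32 hash standing in for "f(h)", the power-of-two table sizes, the even split of a divided bucket's count, the 0.5 "approach" factor, the interval decay and the traffic itself are all assumptions made for illustration.

```python
import zlib


class BucketMonitor:
    """Counts packets per hash bucket and resizes the bucket table.

    Assumed policy (not taken from the brief): the table doubles when any
    bucket reaches `approach * th`, halves after a quiet interval, and never
    exceeds `max_buckets`, so hostile traffic cannot grow the monitor's state.
    """

    def __init__(self, n_buckets=2, th=100, approach=0.5,
                 min_buckets=2, max_buckets=16):
        self.counts = [0] * n_buckets      # table size must be a power of two
        self.th = th                       # per-bucket threshold "Th"
        self.split_at = int(th * approach)
        self.min_buckets = min_buckets
        self.max_buckets = max_buckets
        self.events = []                   # (table size, bucket index) pairs

    def bucket_of(self, key):
        """f(h): map a traffic parameter (here a source address) to a bucket."""
        return zlib.crc32(key.encode()) % len(self.counts)

    def divide(self):
        """Double the table. Keys of old bucket i now hash to i or i + n, so
        each new bucket starts with half of the old count (derived value)."""
        low = [(c + 1) // 2 for c in self.counts]
        high = [c // 2 for c in self.counts]
        self.counts = low + high

    def combine(self):
        """Halve the table. Old buckets i and i + n/2 hash to new bucket i,
        so the combined count is exact."""
        half = len(self.counts) // 2
        self.counts = [self.counts[i] + self.counts[i + half]
                       for i in range(half)]

    def observe(self, key):
        """Account for one packet; flag or divide as thresholds are met."""
        i = self.bucket_of(key)
        self.counts[i] += 1
        if self.counts[i] == self.th:
            self.events.append((len(self.counts), i))   # event of significance
        elif (self.counts[i] >= self.split_at
              and len(self.counts) * 2 <= self.max_buckets):
            self.divide()                  # approaching Th: break traffic down
        return i

    def end_interval(self, decay=2):
        """Age the counters, then combine buckets while traffic is light."""
        self.counts = [c // decay for c in self.counts]
        while len(self.counts) > self.min_buckets:
            half = len(self.counts) // 2
            busiest = max(self.counts[i] + self.counts[i + half]
                          for i in range(half))
            if busiest >= self.split_at // 2:
                break                      # combining would trigger a divide
            self.combine()


def constructed_traffic():
    """Constructed sample: one flooding source among 20 light sources."""
    packets = []
    for round_no in range(30):
        packets += ["203.0.113.9"] * 20    # flooder, 600 packets in total
        if round_no < 5:                   # background, 100 packets in total
            packets += [f"198.51.100.{host}" for host in range(1, 21)]
    return packets


def run_demo():
    monitor = BucketMonitor()
    for source in constructed_traffic():
        monitor.observe(source)
    return monitor


if __name__ == "__main__":
    m = run_demo()
    print("buckets:", len(m.counts), "events:", m.events)
    print("flooder bucket:", m.bucket_of("203.0.113.9"), "counts:", m.counts)
```
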

Claim 70 is directed to a computer program product residing on a computer readable
medium for monitoring traffic flow in a monitor device disposed to receive network packets.
This feature is supported as the analogous feature of claim 1.

Inventive features of claim 70 include instructions to produce statistics corresponding to a
parameter of the traffic flow to trace a source of an attack. This feature is supported as the
analogous feature of claim 1.

Inventive features of claim 70 in addition include instructions to map the traffic flow into
plurality of buckets. This feature is supported as the analogous feature of claim 1.

Inventive features of claim 70 also include instructions to vary the number of buckets
according to the amount of traffic and number of flows to breakdown the traffic flow into
different buckets. This feature is supported as the analogous feature of claim 63.

Inventive features of claim 70 also include instructions to analyze statistics accumulated
for a parameter and a corresponding threshold in the bucket to identify a source of the attack.
This feature is supported as the analogous feature of claim 63.

(vi) Grounds of Rejection to be Reviewed on Appeal

1. Claim 63 stands rejected under 35 U.S.C. 112, second paragraph, as being indefinite
for failing to particularly point out and distinctly claim the subject matter which applicant
regards as the invention. More specifically it is not clear what is further comprising.

2. Claims 63-68 and 70-75 stand rejected under 35 U.S.C. 102(e) as being anticipated by
Lyle et al (US 6,971,028) hereinafter referred to as Lyle.

3. Claims 1-21, 50-62, 69, and 76-77 stand rejected under 35 U.S.C. 103(a) as being
unpatentable over Lyle further in view of Hsu et al (US 6,098,157; hereinafter referred to as Hsu.

Anticipation

"It is well settled that anticipation under 35 U.S.C. §102 requires the presence in a single
reference of all of the elements of a claimed invention." Ex parte Chopra, 229 U.S.P.Q. 230,

"Anticipation requires the presence in a single prior art disclosure of all elements of a
claimed invention arranged as in the claim." Connell v. Sears, Roebuck & Co., 220 U.S.P.Q.
193, 198 (Fed. Cir. 1983).

"This court has repeatedly stated that the defense of lack of novelty (i.e., 'anticipation')
can only be established by a single prior art reference which discloses each and every element of
the claimed invention." Structural Rubber Prod. Co. v. Park Rubber Co., 223 U.S.P.Q. 1264,
1270 (Fed. Cir. 1984), citing five prior Federal Circuit decisions since 1983 including Connell.

In a later analogous case the Court of Appeals for the Federal Circuit again applied this
rule in reversing a denial of a motion for judgment n.o.v. after a jury finding that claims were
anticipated. Jamesbury Corp. v. Litton Industrial Prod., Inc., 225 U.S.P.Q. 253 (Fed. Cir. 1985).

After quoting from Connell, "Anticipation requires the presence in a single prior art
disclosure of all elements of a claimed invention arranged as in the claim," 225 U.S.P.Q. at 2.Mx
the court observed that the patentee accomplished a constant tight contact in a ball valve by a lip
on the seal or ring which interferes with the placement of the ball. The lip protruded into the
area where the ball will be placed and was thus deflected after the ball was assembled into the
valve. Because of this constant pressure, the patented valve was described as providing a
particularly good seal when regulating a low pressure stream. The court quoted with approval
from a 1967 Court of Claims decision adopting the opinion of then Commissioner and later
Judge Donald B. Lane:

[T]he term "engaging the ball" recited in claims 7 and 8
means that the lip contacts the ball with sufficient force to
provide a fluid tight seal **** The Saunders flange or lip
only sealingly engages the ball 1 on the upstream side when
the fluid pressure forces the lip against the ball and never
sealingly engages the ball on the downstream side because
there is no fluid pressure there to force the lip against the
ball. The Saunders sealing ring provides a compression
type of seal which depends upon the ball pressing into the
material of the ring. *** The seal of Saunders depends
primarily on the contact between the ball and the body of
the sealing ring, and the flange or lip sealingly contacts the
ball on the upstream side when the fluid pressure increases.
225 U.S.P.Q. at 258.

Relying on Jamesbury, the ITC said, "Anticipation requires looking at a reference, and
comparing the disclosure of the reference with the claims of the patent in suit. A claimed device
is anticipated if a single prior art reference discloses all the elements of the claimed invention as
ana^^ce s , d^e c\ n^ ' , << i.. i ' ' />/ / I), - <. <fu' i < n-; 2^"" 

U.S.P.Q. 982, 985 (U.S. ITC 1985).

Obviousness

"It is well established that the burden is on the PTO to establish a prima facie showing of
obviousness, In re Fritsch, 972 F.2d. 1260, 23 U.S.P.Q.2d 1780 (C.C.P.A., 1972)."

"It is well established that there must be some logical reason apparent from the evidence
or record to justify combination or modification of references. In re Regal, 526 F.2d 1399, 188
U.S.P.Q.2d 136 (C.C.P.A. 1975). In addition, even if all of the elements of claims are disclosed
in various prior art references, the claimed invention taken as a whole cannot be said to be
obvious without some reason given in the prior art why one of ordinary skill in the art would
have been prompted to combine the teachings of the references to arrive at the claimed invention.
Id. Even if the cited references show the various elements suggested by the Examiner in order to
support a conclusion that it would have been obvious to combine the cited references, the
references must either expressly or impliedly suggest the claimed combination or the Examiner
must present a convincing line of reasoning as to why one skilled in the art would have found the
claimed invention obvious in light of the teachings of the references. Ex Parte Clapp, 227
U.S.P.Q.2d 972, 973 (Board. Pat. App. & Inf. 1985)."

"The mere fact that the prior art could be so modified would not have made the
modification obvious unless the prior art suggested the desirability of the modification." In re
Gordon, 221 U.S.P.Q. 1125, 1127 (Fed. Cir. 1984).

Although the Commissioner suggests that [the structure in the
primary prior art reference] could readily be modified to form the
[claimed] structure, "[t]he mere fact that the prior art could be so
modified would not have made the modification obvious unless the
prior art suggested the desirability of the modification." In re
Laskowski, 10 U.S.P.Q. 2d 1397, 1398 (Fed. Cir. 1989).

"The claimed invention must be considered as a whole, and the question is whether there
is something in the prior art as a whole to suggest the desirability, and thus the obviousness, of
making the combination." Lindemann Maschinenfabrik GMBH v. American Hoist & Derrick,
221 U.S.P.Q. 481, 488 (Fed. Cir. 1984).

Obviousness cannot be established by combining the teachings of
the prior art to produce the claimed invention, absent some
teaching or suggestion supporting the combination. Under Section
103, teachings of references can be combined only if there is some
suggestion or incentive to do so. ACS Hospital Systems, Inc. v.
Montefiore Hospital, 221 U.S.P.Q. 929, 933 (Fed. Cir. 1984)
(emphasis in original, footnotes omitted).

"The critical inquiry is whether 'there is something in the prior art as a whole to suggest
the desirability, and thus the obviousness, of making the combination.'" Fromson v. Advance
Offset Plate, Inc., 225 U.S.P.Q. 26, 31 (Fed. Cir. 1985).

1. Claim 63, as amended, is proper under 35
U.S.C. 112, second paragraph.

Appellant has amended claims 63 and 70 in the accompanying Reply to clarify a phrase in
the claims and delete extraneous words. The feature now recites: "vary the number of buckets
according to the amount of traffic and number of flows to breakdown the traffic flow into
different buckets.", e.g., for claim 63. As amended, claim 63 is proper under 35 U.S.C. 112,
second paragraph. Analogous amendments were made to claim 70 since claim 70 had similar
typographical errors.

2. Claims 63-68 and 70-75 are not
anticipated by Lyle et al (US 6,971,028).

Claims 63, 66, 70 and 73

For the purposes of this appeal only claims 63, 66, 70 and 73 stand or fall together.
Claim 63 is representative of this group of claims.

Claim 63 is directed to a method of monitoring traffic flow in a monitor device disposed
to receive network traffic packets. Claim 63 includes the features of producing statistics
corresponding to a parameter of traffic flow to trace the source of an attack. According to claim
63 producing includes mapping the traffic flow into a plurality of buckets and varying the
number of buckets according to the amount of traffic and number of flows by breaking down
traffic flow into different buckets and examining statistics accumulated for a parameter and a
corresponding threshold in the bucket.

The examiner contends that Lyle teaches "Producing statistics corresponding to a
parameter of traffic flow to trace the source of an attack (Fig 9, 9i)S-3iO; col 2, lines 45-50; col
7, lines 3-12; sniffers are used in analyzing and evaluating traffic flows to scrutinize suspicious
activity in an attempt to ascertain the source of an attack)"

Appellant disagrees. Lyle neither describes nor suggests producing statistics
corresponding to a parameter of traffic flow. Lyle merely uses sniffers, but according to Lyle,
the sniffer "continuously scans the data being received at various ports of various network
devices. The sniffers search for data indicating an actual or suspected attack, as described more
fully below, and provide information concerning suspicious data to other modules within the
tracking system, as described more fully below." [Lyle Col. 7, Lines 7-12].

Sniffers in Lyle are used to examine data in packets that have the characteristics of a
known attack. Lyle does not disclose the sniffers as collecting statistical information on network
traffic seen at nodes.

The examiner argues that Lyle discloses: "Mapping the traffic flow into a plurality of
buckets (col 7, lines 43-67; event data, which is defined as suspicious data is placed in a queue as
a set corresponding to a single incident)" Appellant contends that Lyle does not disclose this
feature either at Col. 7, lines 43-67 or by the definition of event data: "defined as suspicious data
is placed in a queue as a set corresponding to a single incident", since claim 63 requires
mapping the traffic flow into a plurality of buckets, not events that correspond to incidents. The
events are not traffic flow.

The examiner argues that Lyle discloses: "Varying the number of buckets according to
the amount of traffic and number of flows according to down traffic flow into different buckets
and examining statistics accumulated for a parameter and a corresponding threshold in the
bucket (col 7, line 43 to col 8, line 33; col 13, lines 42-50 ... once an event (a set of data
corresponding to an attack) is placed in the queue, other event data is grouped or combined with
existing event data to associate related events into a single incident object. Also, events that do
not bear similarities on their face may also be combined or aggregated based upon event rate in a
given network or sub-network. Thus varying the amount of event data sets destined for the
analysis framework module)."

Lyle merely teaches to associate related events. Lyle teaches: "The analysis framework
308 associates the event data with an event software object, as described more fully below, and
stores data relating to the event in an event database 322. The analysis framework 308 also
determines whether an event is associated with an existing event or group of related events, and
associates related events into a single incident software object. Events that are not related to any
other events are associated with a new incident object and may be later grouped with
subsequently-received event data that is related to the same incident." [Lyle col. 7, Line 6; to
Col. 8 line 4]

Thus, Lyle does not describe varying the number of buckets according to the amount of
traffic and number of flows into different buckets and examining statistics accumulated for a
parameter and a corresponding threshold in the bucket.

Accordingly, since Lyle fails to describe all of the features of claim 63 arranged as in the
claim, Lyle cannot anticipate claim 63.

For the purposes of this appeal only claims 64, 66, 68, 71 and 75 stand or fall together.
Claim 64 is representative of this group of claims.

Claim 64 further limits claim 63 and recites that: "varying varies the number of buckets
so that the monitoring device is not vulnerable to DoS attacks against its own resources." This
feature is not described by Lyle.

The examiner argues that: "As to claim 64, Lyle teaches the method of claim 63 wherein
varying varies the number of buckets so that the monitoring device is not vulnerable to DoS
attacks against its own resources (col 19, lines 37-45; the protocol disclosed by Lyle teaches a
strong protection against denial of service attacks as well as other forms of attacks)."

At Col. 19, lines 37-45, Lyle discloses: "In addition to this strong protection against this
denial of service attacks the communication protocol described above protects the tracking
systems from other types of attacks by requiring that the would be attacker both know the
communication protocol and have the cryptographic hash function being used as part of the
communication protocol in the tracking systems installed in the particular administrative
domain."

However, as described by Lyle, it is not the event scheme that protects the tracking
system from attacks but instead it is the: "In addition to this strong protection against this denial
of service attacks the communication protocol described above protects the tracking systems
from other types of attacks by requiring that the would be attacker both know the communication
protocol and have the cryptographic hash function being used as part of the communication
protocol" [Lyle, col. 19, lines 38-45]

Accordingly, since Lyle fails to describe all of the features of claim 64 arranged as in the
claim, Lyle cannot anticipate claim 64.

For the purposes of this appeal only claims 65 and 72 stand or fall together. Claim 65 is
representative of this group of claims.

Claim 65 further limits claim 63 and recites that varying the number of buckets includes
comparing the number of buckets to a threshold number of buckets and determining whether the
number of buckets should be divided into more buckets or combined into fewer buckets based on
comparing the number of buckets to the threshold and as the number of buckets changes, the
buckets have values derived from the buckets prior to the change.

The examiner contends that:

As to claim 65, Lyle teaches the method of claim 63 wherein varying the
number of buckets comprises: comparing the number of buckets to a threshold
number of buckets, determining whether the number of buckets should be divided
into more buckets or combined into fewer buckets based on comparing the number
of buckets to the threshold and as the number of buckets changes, the buckets have
values derived from the buckets prior to the change (col 7, lines 43 to col 8, line 33; a
statistics database is consulted including a threshold based upon incident rate to
determine in part whether or not the event data set should be combined or split.
Once a decision is made, variables within the event data set essentially remain the


Lyle does not describe that the number of buckets changes based on a comparison to a
threshold. The examiner argues that: "(col 7, lines 43 to col 8, line 33; a statistics database is
consulted including a threshold based upon incident rate to determine in part whether or not the
event data set should be combined or split. Once a decision is made, variables within the event
data set essentially remain the same)." Lyle has no such teaching.

Lyle does not describe a threshold based on incident rate and does not determine whether
event data should be combined or split based on a threshold. Rather, Lyle describes: "One of the
tools used by analysis framework 308 in determining whether an event is associated with one or
more other events is a statistics database 324. The statistics database 324 stores the average
incident rate of each sub-network within the network served by the tracking system and a
first-order variance of the average incident rate for all networks with an above-average incident
rate. The baseline incident rate and the variance are used for all networks with an average or
below-average incident rate."

Lyle describes that: "The analysis framework 308 also connects to policy database 326.
The policy database 326 is used to store information concerning how certain types of events and
incidents should be processed by the analysis framework, including the responsive action, if any,
to be taken by the analysis framework. For example, for a particular type of attack or suspected
attack the policy database 326 may indicate that the attack is to be logged but otherwise
ignored." [Lyle, col. 8, lines 15-22]

Therefore according to Lyle, the incidence rate is used to process events. Lyle does not
specifically describe that the incidence rate corresponds to a threshold number of buckets as in
claim 1, but rather corresponds to the rate at which incidents occur in a network or sub-network.
Therefore, Lyle does not describe determining whether the number of buckets should be divided
into more buckets or combined into fewer buckets based on comparing the number of buckets to
the threshold. Lyle also does not describe that as the number of buckets changes, the buckets
have values derived from the buckets prior to the change.

Claims 67 and 74

For the purposes of this appeal only, claims 67 and 74 stand or fall together. Claim 67 is
representative of this group of claims.

Claim 67 further limits claim 63 where comparing statistic values includes accumulating
statistic values ... and comparing the values ... to thresholds that depend on the number of
buckets. Lyle fails to suggest this feature. In Lyle the number of events is not based on
accumulating statistic values from the packets or comparing the values accumulated in the
buckets. The examiner's reasoning that "(col 7, lines 3-20 and 43-67; sniffers are utilized in
capturing packet content as well as data related to packets. Thereafter, the data requiring further
analysis and/or evaluation is discerned and stored and placed into a queue for further scrutiny by
the tracking system)." fails to address the claimed limitation.

3. Claims 1-21, 50-62, 69, and 76-77 are
patentable over Lyle in view of Hsu et al.

Claims 1 and 7 

For the purposes of this appeal only, claims 1 and 7 stand or fall together. Claim 1 is
representative of this group of claims.

Claim 1 calls for a machine implemented method of monitoring traffic flow. Claim 1
includes the features of producing statistics corresponding to a parameter of traffic flow to trace
the source of an attack, . . . mapping the traffic flow into a plurality of buckets by applying a hash
function "f(h)" to the parameter of the traffic flow to output an integer corresponding to one of
the buckets, accumulating statistics from the packets and comparing the number of buckets to a
threshold. The claim also includes determining whether the number of buckets should be
divided into more buckets or combined into fewer buckets based on comparing the number of
buckets to the threshold.

The examiner contends with respect to these features that Lyle teaches: "Producing
statistics corresponding to a parameter of traffic flow to trace the source of an attack (Fig 9, v'lsS-
310; col 2, lines 45-50; col 7, lines 3-12; sniffers are used in analyzing and evaluating traffic
flows to scrutinize suspicious activity in an attempt to ascertain the source of an attack) ...

For the reasons discussed above this feature is not taught by Lyle and Hsu does not cure
the deficiencies in Lyle. Moreover, Lyle does not specifically suggest producing statistics
corresponding to a parameter of traffic flow to trace the source of an attack, . . Accordingly to

The sniffer module may also search for other information, clues, or signatures
previously associated with attacks on the network being protected or other
networks. For example, the sniffer module may identify all messages sent
from a list of suspicious source addresses, or messages attempting to access a remote
system within the network or sub-network associated with the tracking system via a
service known to be vulnerable, such as telnet, or messages containing strings

Thus, Lyle discloses that the sniffer looks for strings of data present in packets or
messages, and does not specifically suggest producing statistics corresponding to a parameter of
traffic flow. Lyle further discusses that:

In one embodiment, statistical information from the statistics data base is used
to determine if the rate of certain types of messages, as described above, exceeds a
normal level. In one embodiment, the normal level or rate of certain types of
message is programmed into the sniffer module as part of the configuration process,
and the sniffer module identifies as suspicious any series of data packets that exceed
the rates established at the time of configuration

Lyle describes the statistical information as normal level or rate of certain types of messages. Thus, Lyle in no sense suggests much less describes producing statistics corresponding to a parameter of traffic flow, since Lyle merely examines patterns in the traffic flow not statistics on traffic flow.

Moreover, Lyle does not suggest mapping the traffic flow into a plurality of buckets. The examiner contends that: "Mapping the traffic flow into a plurality of buckets (col 7, lines 43-67; event data, which is deemed as suspicious data is placed in a queue as a set, corresponding to a single incident)." Event data however is neither mapped into buckets nor does the event data correspond to the traffic flow.

Lyle does not suggest: "accumulating statistics from the packets and comparing the number of buckets to a threshold" whether at col 7, lines 32-42 and col 8, lines 6-14; or elsewhere. The examiner argues that: "many thresholds, such as incident rate, preconfigured criteria, timestamps, etc. are considered in determining the significance or importance of a possible attack." Whether that contention is correct or not, the contention does not address the claimed features namely accumulating statistics from the packets and comparing the number of buckets.

As for the feature of: "determining, whether the number of buckets should be divided into more buckets or combined into fewer buckets based on comparing the number of buckets to the threshold," the examiner relies on col 7, line 43 to col 8, line 3; col 13, lines 42-50; and argues that: "once an event (a set of data corresponding to an attack) is placed in the queue, other event data is grouped or combined with existing event data to associate related events into a single incident object. Also, events that do not bear similarities on their face may also be ib nof o' ^>^i^d upon event rate in a given network or sub-network... Thus \ ar>-T?-j ■ s v > nait < event data sets destined for the analysis framework module)."

The examiner's characterization does not address the feature of the claim, that the number of buckets are divided into more buckets or combined into fewer buckets based on comparing the number of buckets to the threshold. While indeed Lyle discloses a so-called single event object, that single incident object associates other event objects. Lyle does not describe or suggest that the number of objects are divided into more objects or combined into fewer objects. Rather, Lyle clearly discloses that the event objects are maintained in the log database. Thus, the single event object does not combine the objects but rather simply associates the objects for later analysis or retrieval.

Claim 1 also requires that the buckets are divided or combined based on a comparison to the threshold. Lyle does not suggest that the single incident object is formed based on comparing the number of buckets to a threshold such as the incidence rate.

The examiner acknowledges that "Lyle does not explicitly indicate the use of a hash function to output an integer corresponding to one of the buckets.", and thus relies on Hsu to teach "using a hash to output an integer corresponding to the location of a location of a unique bucket identifier (see fig 8, col 4, lines 26-38; col 5, lines 18-23)."

The examiner argues that:

It would have been obvious to one with ordinary skill in the art at the time the invention was made to combine the disclosure of Lyle with the hashing technique of Hsu to make the system more efficient. Using the hashing technique, which

i\isi output the unique bucket identifier quickly. Because Lyle also uses addresses to relate event data to aggregate events into a single incident object, the

Applicant disagrees. Hsu describes that:

rSii; ro!i«!i<-; kskimiatiofi, CdmprUing ihe soifsce address tOi &ini ihe 
«ii?s!ii!at!<iH itd(ir«.s i;; tta-n obiaiist-d hum thti esjjtfjred daiu psickt'S UK!. 
Bvio si^t ;»iorji)fiiktsj fji ftif i-.apt«»«! rfjiti" {>tick(;t idO H&ha pririVrabiy ohtakiwi 
2'S6. This irikirmiitiffji is fhen med tottt'jtt; or stp-Jaic 208 iticord.f auyml in ihs 
!)«'im>ry oi' » convcfitiijaai tovjipyftr u^rfi to track the- iinifUitu and d/.<.> ol {i:.it;i 
!s-£if1k- i!;i^fc!!!5« iiii't ami (ju; oi' sfii'<:i)ii; mules on iiscr L.4N, and aniotsns arxi si/f
»: diJta ir^ifT!!'. iravejin" between (n o hikK's oh i:tie { 



Fig. 3 shows a row 300 in an exemplary first table which contains information concerning the amount and size of data traveling into and out of a specific node on a LAN. Specifically, each row 300 from the table is indexed by a node address and



Hsu is clearly directed to a table stored in memory and as such requires the use of a technique to distribute entries, e.g., a hash function. Lyle on the other hand is directed to an arrangement in which the incident objects are stored in a database, thus apparently being no such need for a distribution of entries. It would not be suggested to modify Lyle to hash the addresses of the entries, since Lyle uses a database. Indeed, Hsu does not describe ". . . mapping the traffic flow into a plurality of buckets by applying a hash function "f(h)" to the parameter of the traffic flow to output an integer corresponding to one of the buckets," in any event.

Indeed, the examiner does recognize that: "Lyle does teach the use of hash functions in a unique way to efficiently communicate with the system (see col 19, lines 11-36), ..." However, appellant contends that since Lyle already recognized "hashing" it is not suggested to combine Lyle with Hsu to map the traffic flow into a plurality of buckets, which neither Lyle nor Hsu show, by applying the hash function to the parameter of the traffic flow to output an integer corresponding to one of the buckets, because that would not have advantaged the arrangement disclosed and suggested by Lyle.

Accordingly one of ordinary skill in the art would not be motivated to combine Lyle with Hsu and the combination, even if suggested does not teach all of the features of Applicant's claims. Accordingly, Hsu adds no further teachings to cure the deficiencies in Lyle and therefore the combination fails to suggest claim 1.



Claim 2 limits claim 1 and recites that the buckets are storage areas in memory. Lyle deals with a database and does not specifically discuss buckets as storage areas in memory. While events may reside in memory, temporarily they are ultimately logged into the database



Claim ^ 
taught by Lyle. Hsu, which does discuss memory, would not cure the deficiencies of Lyle, since it should change the principle of operation of Lyle and is therefore not suggested.

Claim 3 further limits claim 1 by reciting that as the number of buckets changes, the buckets have values derived from the buckets prior to the change. Claim 1 recites the feature of determining whether the number of buckets should be divided into more buckets or combined into fewer buckets based on comparing the number of buckets to the threshold. As discussed above, the combination of references do not suggest that the number of buckets changes based on a comparison to a threshold.

Appellant discusses in the specification, (page 14, line 27) that:

The monitoring process 32 takes that bucket, e.g., Bi and divides that bucket Bi into some other number M of new buckets Bi1 - BiM. Each of the new buckets Bi1 - BiM contains values appropriately derived from the original bucket Bi.

Appellant contends that Lyle does not teach that as the number of buckets changes, the buckets have values derived from the buckets prior to change whether at cot In .:^9~67 or elsewhere, since the single incident object does not combine events but merely associates events, and thus the single incident object does not derive data from the events, but merely has the data from the events associated.

Appellant also describes (page 14, line 31) that:

Also, the hash function is extended to map to N+M-1 "h→N+M-1" values, rather than the original N values.

[Appellant's specification page 14, line 31 to page 15, line 2]

The examiner contends that: "As to claim 4, Lyle and Hsu teach the method claim of claim 1 wherein the hash function adapts to map to the new number of buckets, as the new number of buckets changes (col 4, lines 26-38; the bucket identifier is unique and if a bucket is eliminated, so is its corresponding identifier. If, on the other hand, a bucket is added, a unique identifier is created)."

As discussed above the combination of Lyle and Hsu is not suggested and thus the concept of dividing buckets, and that the hash function adapts to map to the new number of buckets, as the new number of buckets changes, is not suggested.

Hsu at the cited passage teaches operation of a table that concerns information pertaining to traffic into or out of a node. However, Hsu does not disclose a record identifier at that passage. Hsu is devoid of any suggestion of a hash function that adapts to map to the new number of buckets, as the new number of buckets changes. Lyle also does not suggest a hash function that adapts based on changes in the number of buckets.

Claim 5 further limits claim 1 by comparing the value accumulated in the bucket to a threshold that depends on the number of buckets.
The examiner contends that

As to claim 5, Lyle teaches the method of claim 1, wherein comparing statistic values comprises accumulating statistic values from the packets and comparing the values accumulated in the buckets to thresholds that depend on the number of buckets, (col 7, lines 3-20 and 43-67: sniffers are utilized in capturing packet content as well as data related to packets. Thereafter, the data requiring further analysis and/or evaluation is discerned stored and placed into a queue for further analysis by the tracking system).

Appellant disagrees. As discussed above Lyle does not suggest the features of claim 1 and thus does not suggest "comparing the value accumulated in the bucket to a threshold that depends on the number of buckets." Lyle teaches to events and to associate events but in no sense does Lyle suggest comparing the value accumulated in the bucket to a threshold that depends on the number of buckets.



Appii; 



Filed : August 16



Claim 6

Claim 6 limits the method of claim 1 by reciting that the parameter is the count of how many packets a data collector or gateway examines. Lyle whether at col. 7, lines 3-20 or col. 7, lines 43-67 fails to suggest this feature. Lyle examines packets for strings or patterns. It is not seen where Lyle maintains any counts.

Claim 8 further limits claim 1 and requires that the hash function changes periodically in a randomly, secret manner so that packets are reassigned to different buckets.

,\s !.t.>chi(>« S, S.yse it-scht's tiie ruetiuKi oi ciaif-j 5 vvhcreif! tin- hash fsr-^i-ii-SH 
iSiati^trs, perifKiicai-y in a t;SRiU>i«[y secret maniiet so iinn fsyekcfs as i; reassij'jsed ta 

Lyle's discussion of the hash function and a random hash value pertain to the communication protocol, not to the features that the examiner relies on to suggest the features of claim 1. So although Lyle does disclose a hash function and a random number to use as a seed, Lyle does not disclose to apply that to reassignment of packets to different buckets in a randomly, secret manner.

Claim 9 further limits claim 1, and requires that the variable number of buckets dynamically adjusts as the amount of traffic and number of flows monitored so that the monitoring device is not vulnerable to a denial of service attack against its own resources. This feature is neither described nor suggested by Lyle whether at col '9, lines 37-4.S or elsewhere. While the communications protocol disclosed by Lyle may be a strong protection against other forms of attack, Lyle does not disclose it as effective against denial of service attacks. Moreover, the communications protocol is not what the examiner uses in the rejection of claim and thus the communication protocol feature of Lyle has no relevance to claim 9, since it is not seen that the event objects which the examiner does rely on provide the function or the features of claim 9.
Claim 10 depends from claim 1 and recites that the variable number of buckets efficiently identifies the source or sources of attack by breaking down traffic into different buckets and examining statistics accumulated for a parameter and a corresponding threshold in each bucket.

The examiner contends that:

•hi; s!f!.irt(: or soiJvcc< sitiick !>y i)!6«MiJg down jraffk i»i<) difiweo? !>iick«.!s Ami 

b«ck<M !coi iiftcs tbo event akni^; >vilh the {JoSicy asssgntii ior !h;i« 

evtjjt is uiiii ii! sriickhi" (ht aiiat h bjck t(i its (ji igia, the iocidftii t(bjeci so «h.;ch 
■ hv i'voiii ivss. dcsii>nati;d « c«ij<l in fact irfofitify the soi)rci> of flu.' attin.k). 

Lyle fails to suggest to break traffic down into different buckets. Rather, Lyle tracks events and associates events into incident objects. Lyle has no teachings that suggest examining statistics accumulated for a parameter and a corresponding threshold in each bucket. Lyle discusses incident rates. However, these teachings are not a variable number of buckets that efficiently identifies the source or sources of attack by breaking down traffic into different buckets and examining statistics accumulated for a parameter and a corresponding threshold in each bucket.

Claim 11 further limits the method of claim 1 featuring that the traffic is monitored at multiple levels of granularity, from aggregate to individual flows. The examiner contends that Lyle's teachings at col 7, lines 3 to col 8, line 5: "individual packets to events to incident objects are analyzed and evaluated at numerous times during processing of given information" correspond to monitoring traffic at multiple levels of granularity, from aggregate to individual flows. However Appellant notes that to the extent that events and incident objects correspond to multiple levels of granularity, those features of Lyle do not correspond to monitoring the traffic at multiple levels of granularity, from aggregate to individual flows.



Claim 12 further limits the method of claim 1 to where the method is applied to monitoring of TCP packet ratios and repressor traffic. The examiner argues that Lyle teaches this at "(col 7 line ?y to col 8, line 4; traffic from numerous types of networks including tcp/ip based networks is used and numerous values included in the statistics database are disclosed.)."

Appellant disagrees. At no point in Lyle generally or at the cited passage does Lyle disclose "monitoring of TCP packet ratios and repressor traffic." Lyle monitors events and discloses that: "When information related to an actual or suspected attack is received by the handoff receiver 302 or identified by the sniffer module 304, the relevant information is provided to an event manager module 306. The event manager 306 receives the suspicious data, referred to herein as "event" data, places it in a queue, and provides data to the analysis framework module 308 for processing, one event at a time, at predetermined intervals." Thus, Lyle neither suggests to process statistical information to determine the source of an attack nor the specific statistical information of claim 12, but rather only monitors events which correspond to an actual or suspected attack.

Claim 13 further limits the method of claim 1 by reciting that the threshold is a first threshold and the method includes comparing accumulated statistic values from the buckets to second threshold values to determine that an event is of significance.

The examiner contends that: "As to claim 13, Lyle teaches the method of claim 1 wherein further comprising comparing accumulated statistic values from the buckets to second threshold values to determine that an event is of significance (col 7, lines 32-42 and col 8, lines 6-14: many thresholds, such as incident rate, preconfigured criteria, timestamps, etc. are considered in determining the significance or importance of a possible attack)."

While Lyle teaches "baseline incident rate and a first order variance" this teaching does not suggest the first threshold as discussed above. However, claim 13 further requires that the second threshold is used with the accumulated statistical values from the buckets to determine that the event is of significance. While the claimed second threshold is closer to the disclosed baseline incident rate of Lyle, it still distinguishes over Lyle, since Lyle does not teach that the baseline incident rate is compared against accumulated statistic values from the buckets, but instead used to compare the number of incidents of the event in a network. However, in no event does Lyle disclose the first and the second claimed thresholds, as required by claim 13.

Regarding Claims 14-21, 50-62 and 76-77 the examiner contended that they were: "essentially the computer program product and data collector for the above-mentioned method claims and are thus rejected under similar rationale."

Claims 14, 18, 19, 21, 53, 54, 57, 60, 61, 62, 77

For the purposes of this appeal only, claims 14, 18, 19, 21, 53, 54, 57, 60, 61, 62, 77 stand or fall together. Claim 14 is representative of this group of claims.

Claim 14 recites instructions to map, accumulate, compare and adjust, in an analogous manner as the corresponding features of claim 1. Claim 14 does not recite the feature of producing statistics, as in claim 1. Claim 14 distinguishes over the art since the cited references whether taken separately or in combination fail to suggest instructions to "map the traffic flow into a plurality of buckets by applying a hash function to the parameter of the traffic flow to output an integer corresponding to one of the buckets." As argued above, event data however is neither mapped into buckets nor does the event data correspond to the traffic flow.

Claim 14 also distinguishes, since Lyle does not suggest instructions to accumulate statistics from the packets or instructions to compare the number of buckets to a threshold, whether at col 7, lines 32-42 and col 8, lines 6-14; or elsewhere. The examiner argues for claim 1 that: "many thresholds, such as incident rate, preconfigured criteria, timestamps, etc. are considered in determining the significance or importance of a possible attack." Whether that contention is correct or not, the contention does not address the claimed features namely accumulating statistics from the packets and comparing the number of buckets.

As for the feature of instructions to determine whether the number of buckets should be divided into more buckets or combined into fewer buckets based on comparing the number of buckets to the threshold, this feature is not taught by Lyle whether at col 7, line 43 to col 8, line 3; col 13, lines 42-50 or elsewhere. The examiner's characterization and reliance on events does not address the feature that the number of buckets are divided into more buckets or combined into fewer buckets based on comparing the number of buckets to the threshold. While Lyle discloses a so-called single event object, that single incident object associates other event objects. Lyle does not describe or suggest that the number of objects are divided into more objects or combined into fewer objects. Rather, Lyle clearly discloses that the event objects are maintained in the log database. Thus, the single event object does not combine the objects but rather simply associates the objects for later analysis or retrieval.

Claim 14 also requires that the buckets are divided or combined based on a comparison to the threshold. Lyle does not suggest that the single incident object is formed based on comparing the number of buckets to a threshold such as the incidence rate.

The examiner acknowledges that "Lyle does not explicitly indicate the use of a hash function to output an integer corresponding to one of the buckets.", and thus relies on Hsu to teach "using a hash to output an integer corresponding to the location of a location of a unique bucket identifier (see fig 8, col 4, lines 26-38; col 5, lines 18-23)."

As argued above, Hsu is clearly directed to a table stored in memory and as such requires the use of a technique to distribute entries, e.g., a hash function. Lyle on the other hand is directed to an arrangement in which the incident objects are stored in a database, thus apparently being no such need for a distribution of entries. It would not be suggested to modify Lyle to hash the addresses of the entries, since Lyle uses the database.

Indeed, the examiner does recognize that: "Lyle does teach the use of hash functions in a unique way to efficiently communicate with the system (see col 19, lines 11-36). . ." However, appellant contends that since Lyle recognized "hashing" it is not suggested to combine Lyle with Hsu to map the traffic flow into a plurality of buckets by applying the hash function to the parameter of the traffic flow to output an integer corresponding to one of the buckets, because that would not have advantaged the arrangement disclosed and suggested by Lyle.
Accordingly one of ordinary skill in the art would not be motivated to combine Lyle with Hsu. Accordingly, Hsu adds no further teachings to cure the deficiencies in Lyle and therefore the combination fails to suggest claim 14.

Claims 15 and 50

For the purposes of this appeal only, claims 15 and 50 stand or fall together. Claim 15 is representative of this group of claims.

Claim 15 requires that based on the second threshold, the buckets are divided into more buckets or combined into fewer buckets. Lyle fails to disclose the claimed second threshold to divide or combine buckets.

Claims 16 and 51

For the purposes of this appeal only, claims 16 and 51 stand or fall together. Claim 16 is representative of this group of claims.

("laiBi lo further lirniLs ckurn 14 anl .Oviics ,nsjt,i.STv>us \> u Md.v vfie .-^Uu...,!. t.o a 
J V<.i^ U .1 nro.. ■ of new bvickcLs coiitaKUii^' aia^s di.ti> Ol t 5 1 1 >c o 'g ' ^ . b >.ko \ s'c c oc^ 
, * (.a^UOsb sde buckets and because I >]c i^cjc'^ ss >.uuev . ^ ..J e^ (.5 '-^ vsuh.dno' 
\. ^ vsj divKimg ti bucket in.> a dUi* 'cn*^ tii rihe .^jxi leui ? i^ieos- n . 

I . IS ^ S'^ .\d ^ - 

^ 5 'he ^aif«>sv. h^ap;^^.\ i\ d »n ^ I" a iJ ; •>tand o . I -,ei cs t hr s 

! r " X. buJ , c' ii 1! M u> 'e>:uise ire ha. \ ru e. ad ^.^t J e at \< 

rui^v > b .Isasi,' rt ^ibei f a. ,.\s.!s vUaii^ic^ " v. Jv\^^ e.en i . 'e e' a I ts. 
lo d i L . n cs .s, ^ .J vA.ved b^ t tc ^v5rn u- He .>a,>K K! ^er eid^ d U H.. . ^ 
Lus e. t at v< - iM ' ?--^! 

Ner s 'su nei ' ^ e >}, d'^c passage-, K ' v ! ."saNC a o saL._<.sii ^- x.A . % .4 
U^KtiO d^r hi I'^ier a; e t'u len ' unThoi oJbueK.s s holi^,^^ an -^e e r^.i.ket^ 
For the purposes of this appeal only, claims 20 and 55 stand or fall together. Claim 20 is representative of this group of claims.

Claim 55 further limits claim 21 to hash function that changes periodically in a randomly secret manner so that packets are reassigned to different buckets. Lyle, as admitted by the examiner, fails to suggest the claimed hash function. Neither Lyle nor Hsu would have any use for a secret hash function for mapping, since Lyle merely uses the hash function as part of the communication protocol whereas Hsu uses the hash to distribute entries in a table, but does not suggest any need for secrecy in how data records are distributed in the table, apparently since Hsu collects flows from devices on the network apparently as part of a tool to, e.g., where: "... the network can be analyzed and possibly redesigned for improved transmission of data packets across the network

Claim 56

Claim 56 further limits claim 21 by comparing the value accumulated in the bucket to a threshold that depends on the number of buckets. This claim is allowable for analogous reasons, given in claim 5.

Claim 58

Claim 58 further limits claim 21 reciting that the variable number of buckets dynamically adjusts the amount of traffic and number of flows monitored, so that the data collector is not vulnerable to a denial of service attack against its own resources. Lyle fails to suggest any mechanism to protect the tracking system from a denial of service attack against its own resources. Variable number of buckets dynamically prevents such an exploit.

Claim 59

Claim 59 further limits claim 21 to a data collector that uses the variable number of buckets to efficiently identify the source or sources of an attack by breaking down traffic into different buckets and examining statistics accumulated for a parameter and a corresponding threshold in each bucket. Lyle does not suggest this feature. Lyle uses events and "Messages associated with an attack may be tracked back to identify a point of attack at which messages associated with the attack are entering a network." However, Lyle does not use buckets to determine the source of an attack, but rather, e.g., ""sniffer" module comprised of one or more "sniffers", described more fully below, continuously scans the data being received at various ports of various network devices. The sniffers search for data indicating an actual or suspected attack, as described more fully below, and provide information concerning suspicious data to other modules within the tracking system, as described more fully below." In contrast, Claim 59 requires that the statistics accumulated for a parameter and a corresponding threshold in each bucket are used to identify the source of an attack.

Claims 69 and 76

For the purposes of this appeal only, claims 69 and 76 stand or fall together. Claim 69 is representative of this group of claims.

Claim 69 limits the method of claim 63 wherein the buckets are storage areas in a memory space of the monitor device and mapping the traffic flow into a plurality of buckets comprises applying a hash function "f(h)" to the parameter of the traffic flow to output an integer corresponding to one of the buckets

Lyle fails to suggest applying a hash function, as admitted by the examiner and the modification of Lyle with Hsu is not suggested nor provides "mapping the traffic flow into a plurality of buckets comprises applying a hash function "f(h)" to the parameter of the traffic flow to output an integer corresponding to one of the buckets."
Appendix of Claims

1. A machine implemented method of monitoring traffic flow in a monitoring device disposed to receive network traffic packets comprises:

producing statistics corresponding to a parameter of traffic flow to trace the source of an attack, with producing further comprising:

mapping the traffic flow into a plurality of buckets by applying a hash function "f(h)" to the parameter of the traffic flow to output an integer corresponding to one of the buckets;

accumulating statistics from the packets; and

comparing the number of buckets to a threshold, and

determining whether the number of buckets should be divided into more buckets or combined into fewer buckets based on comparing the number of buckets to the threshold.

2. The method of claim 1 wherein the buckets are storage areas in a memory space of the monitor device.

3. The method of claim 1 wherein, as the number of buckets changes, the buckets have values derived from the buckets prior to the change.

4. The method of claim 1 wherein the hash function adapts to map to the new number of buckets, as the new number of buckets changes.

5. The method of claim 1 wherein comparing statistic values comprises comparing the value accumulated in the bucket to a threshold that depends on the number of buckets.

6. The method of claim 1 wherein the parameter is the count of how many packets a data collector or gateway examines.

7. The method of claim 1 wherein as a value of a parameter for one bucket approaches a threshold, the monitoring device raises an alarm.

8. The method of claim 1 wherein the hash function changes periodically in a randomly secret manner so that packets are reassigned to different buckets.

9. The method of claim 1 wherein the variable number of buckets dynamically adjusts the amount of traffic and number of flows monitored, so that the monitoring device is not vulnerable to a denial of service attack against its own resources.

10. The method of claim 1, wherein the variable number of buckets efficiently identifies the source or sources of attack by breaking down traffic into different buckets and examining statistics accumulated for a parameter and a corresponding threshold in each bucket.

11. The method of claim 1 wherein the traffic is monitored at multiple levels of granularity, from aggregate to individual flows.

12. The method of claim 1 wherein the method is applied to monitoring of TCP packet ratios and repressor traffic.

13. The method of claim 1 wherein the threshold is a first threshold and the method further comprises:

comparing accumulated statistic values from the buckets to second threshold values to determine that an event is of significance.

14. A computer program product residing on a computer readable medium for monitoring



map traffic flow into a plurality of buckets by applying a hash function "f(h)" to a parameter of the traffic flow to output an integer corresponding to one of the buckets;

accumulate statistics from the packets; and

compare the accumulated statistic values from the buckets to configured threshold values corresponding to the number of buckets to determine that an event is of significance; and

adjust the number of buckets as the number of buckets approaches a second threshold.

15. The computer program product of claim 14 whereby based on the second threshold, the buckets are divided into more buckets or combined into fewer buckets.

16. The computer program product of claim 14 wherein instructions to monitor further comprise instructions to:

divide the bucket into a different number of new buckets containing values derived from the original bucket.

17. The computer program product of claim 14 wherein the hash function adapts to map to the new number of buckets as the new number of buckets changes.

18. The computer program product of claim 14 wherein the parameter is the count of how many packets a data collector or gateway examines.

19. The computer program product of claim 14 wherein the buckets are storage areas in the memory space of the monitor device.

20. The computer program product of claim 14 wherein the hash function changes periodically in a randomly secret manner so that packets are reassigned to different buckets.



21. A data collector to collect statistical information about network flows comprises:

a computer readable medium;

a computing device that executes computer program product stored on the computer readable medium comprising instructions to cause the computing device to:

map traffic flow into a plurality of buckets by applying a hash function "f(h)" to the parameter of the traffic flow to output an integer corresponding to one of the buckets;

accumulate statistics from the packets; and

compare the accumulated statistic values from the buckets to configured threshold values corresponding to the number of buckets to determine that an event is of significance; and

adjust the number of buckets as the number of buckets approaches a second threshold.

Claims 22-49 are canceled.

50. The data collector of claim 21 wherein based on the second threshold, the buckets are divided into more buckets or combined into fewer buckets.

51. The data collector of claim 21 wherein instructions to monitor further comprise instructions to:

divide the bucket into a different number of new buckets containing values derived from the original bucket.

52. The data collector of claim 21 wherein the hash function adapts to map to the new number of buckets as the new number of buckets changes.

53. The data collector of claim 21 wherein the parameter is the count of how many packets the data collector examines.



K.5r:<>i\ .space of^sj -liuTiif.^j Ocm<.>' 
,f buckets. 



-1 i^a >„(^ilocU>^ Cia.n 21 \^hrik:in a^ a \aKie a pasa roU i am' hj^^i 
.^'!U\!c)h-s . jMos;k>:<.i, Ml, K'tonra <ic\\c ua\cs an Au^n. 

Hic J ra Ci'llccto! ofcMJV.^i ^^^R'iv^U!ll,• ^ anah>o .'un .-v: tViCkc:-' 
>njir5caM\ v!J\io*..- t.ju amount of ::affio and number v>l Tl<n\ ;rc>;a{oivr; - ^ 'bi'i lac Jata 

\h -Uw A>'k\\ov M\'i.hn 21 'A iicu-in the \ an aKo -aasr^v. o -J ■i.^kc.^ oLkitnM, 
xaPiisauL' ^taiK4-.^ acciajisi. ak\l tbi a .■>a:anick£ and a i.t>::o'-pondms> shRsbolc -ss o *h cko* 

!ii il-> >^Ua cuLcc^H ckiir; 21 'vvhca'ir tiic 'sai lit ^■^ !}-))Uo-'; sn-M-ix m^o. KP 
avkos .aiu>.> a5,.Lcp:os-.0) naff.c 



62. The data collector of claim 21 wherein the threshold is a first threshold and the computer program further comprises instructions to:

compare accumulated statistic values from the buckets to second threshold values to determine that an event of significance.

63. A method of monitoring traffic flow in a monitor device disposed to receive network packets, the method comprises:

producing statistics corresponding to a parameter of the traffic flow to trace a source of an attack, with producing further comprising:

mapping the traffic flow into a plurality of buckets;

varying the number of buckets according to the amount of traffic and number of flows to breakdown traffic flow into different buckets; and

analyzing statistics accumulated for a parameter and a corresponding threshold in the bucket to identify the source of the attack.

64. The method of claim 63 wherein varying varies the number of buckets so that the monitoring device is not vulnerable to DoS attacks against its own resources.

65. The method of claim 63 wherein varying the number of buckets comprises:

comparing the number of buckets to a threshold number of buckets;

determining whether the number of buckets should be divided into more buckets or combined into fewer buckets based on comparing the number of buckets to the threshold and as the number of buckets changes, the buckets have values derived from the buckets prior to the change.

66. The method of claim 63 wherein further comprising:

comparing accumulated statistic values from the buckets to second threshold values to determine that an event is of significance.



accumulating statistic values from the packets; and
of buckets.

1^" ! iii. nictiioi.! oi cLisnj sv hcicm the bucket^ a'o arca^- ; j rjcux>:\ --f.u!.c 

of I ic HK-iiUoj uc\ stc ond fr.ap j-nig the nojiic tl<n\ itv..- a plio j.iis v-f J\0!s cu^np-r-^c- 

.'opKu-i; J l:.ish x-ro;-; ''!fJ=^V' the par.uht,{OT t'l t:>.d!Ic :o >..;;p!;.J a-) miouyj 
corresponding to one of the buckets.

70. A computer program product residing on computer readable medium for monitoring traffic flow in a monitor device disposed to receive network packets, the computer program product comprises instructions for causing the device to:

produce statistics corresponding to a parameter of the traffic flow to trace a source of an attack, with produce further comprising:

map the traffic flow into a plurality of buckets;

vary the number of buckets according to the amount of traffic and number of flows to breakdown the traffic flow into different buckets; and

analyze statistics accumulated for a parameter and a corresponding threshold in the bucket to identify a source of the attack.

71. The computer program product of claim 70 wherein [illegible] number of buckets so that the monitoring device is not vulnerable to DoS attacks against its own resources.

72. The computer program product of claim 70 wherein instructions to vary comprises instructions to:

compare the number of buckets to a threshold number of buckets;

determine whether the number of buckets should be divided into more buckets or combined into fewer buckets based on comparing the number of buckets to the threshold and as the number of buckets changes, the buckets have values derived from the buckets prior to the change.

73. The computer program product of claim 70 further comprising instructions to:

compare accumulated statistic values from the buckets to second threshold values to determine that an event is of significance.

74. The computer program product of claim 70 wherein instructions to compare statistic values comprises instructions to:

accumulate statistic values from the packets; and

compare the values accumulated in the buckets to thresholds that depend on the number of buckets.

75. The computer program product of claim wherein the variable number of buckets dynamically adjusts the amount of traffic and number of flows monitored, so that the monitoring device is not vulnerable to a denial of service attack against its own resources.

76. The computer program product of claim 70 wherein the buckets are storage areas in a memory space of the monitor device and instructions to map the flow into a plurality of buckets comprises instructions to:

apply a hash function "f(h)" to the parameter of the traffic flow to output an integer corresponding to one of the buckets.
77. The data collector of claim 21 further
a port to link the data collector to a central control cent



None 